From owner-freebsd-current@freebsd.org Wed Mar 31 11:26:09 2021 Return-Path: Delivered-To: freebsd-current@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B14225C44ED for ; Wed, 31 Mar 2021 11:26:09 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: from toco-domains.de (mail.toco-domains.de [176.9.100.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4F9PC52lmqz3Ckv for ; Wed, 31 Mar 2021 11:26:08 +0000 (UTC) (envelope-from joneum@FreeBSD.org) Received: by toco-domains.de (Postfix, from userid 65534) id 44FD9C9475; Wed, 31 Mar 2021 13:26:06 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on toco-mail X-Spam-Level: X-Spam-Status: No, score=-2.9 required=4.0 tests=ALL_TRUSTED,BAYES_00, NICE_REPLY_A,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.4 Received: from Jochens-MacBook-Pro.local (ip-178-202-191-19.hsi09.unitymediagroup.de [178.202.191.19]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by toco-domains.de (Postfix) with ESMTPSA id 0B505C946C; Wed, 31 Mar 2021 13:26:03 +0200 (CEST) Subject: Re: Blacklisted certificates To: Christoph Moench-Tegeder , freebsd-current@freebsd.org References: From: Jochen Neumeister Message-ID: Date: Wed, 31 Mar 2021 13:26:02 +0200 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.9.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: de-DE X-Rspamd-Queue-Id: 4F9PC52lmqz3Ckv X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [0.00 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; ASN(0.00)[asn:24940, ipnet:176.9.0.0/16, country:DE] X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Mar 2021 11:26:09 -0000 Am 31.03.21 um 13:02 schrieb Christoph Moench-Tegeder: > ## Jochen Neumeister (joneum@FreeBSD.org): > >> Why are this certificates blacklisted? > Various reasons: > - Symantec (which owned Thawte and VeriSign back in the time) made > the news in a bad way: > https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/ > - some certificates are simply expired > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is > beyond deprecated > - and basically "whatever Mozilla did", as the certificates are > imported from NSS. how can I ignore the certificates now? So now everyone has this problem with an update Greetings Jochen